lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <201502031654.t13GsQhX012941@sf01web2.securityfocus.com>
Date: Tue, 3 Feb 2015 16:54:26 GMT
From: kingkaustubh@...com
To: bugtraq@...urityfocus.com
Subject: CVE-2015-1437  XSS In ASUS Router.

#####################################
Title:-   Reflected XSS vulnarbility in Asus RT-N10 Plus router
Author:   Kaustubh G. Padwad
Product:  ASUS Router RT-N10 Plus
Firmware: 2.1.1.1.70
Severity: HIGH
Auth:     Not requierd
CVE ID:   CVE-2015-1437 
# Description: 
Vulnerable Parameter: flag=
# Vulnerability Class:
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

# About Vulnerability: Asus Router RT-N10 Plus with firmware 2.1.1.70 is vulnarable for crosss site scripting attack,this may cause a huge network compemise.As this does not requierd any authentication this can be a mass network compermising.      

#Technical Details: The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response.


#Steps to Reproduce: (POC):
After setting up router
Enter this URL 
1.http://router/error_page.htm?flag=initial78846%27%3balert(document.lastmodified)%2f%2f372137b5d
2.http://router/error_page.htm?flag=initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d


# Disclosure: 
8-jan-2015 Repoerted to ASUS 
9-jan-2015 Asus confirm that they reported to concern department
15-jan-2015 Ask for update from asus asus says reported to HQ
28-jan-2015 Ask asus about reporting security foucus No reply from ASUS
29-jan-2015 security focus bugtraq


#credits:
Kaustubh Padwad
Information Security Researcher
kingkaustubh@...com
https://twitter.com/s3curityb3ast
http://breakthesec.com
https://www.linkedin.com/in/kaustubhpadwad

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ